Allow Web Page To Be Rendered Inside HTML Frame

spring-security x-frame-options clickjacking
haizpt picture haizpt · Jan 21, 2015 · Viewed 22k times · Source

I have two web applications: web application (web-app) and report web. I want to embedded report web in web-app in a <iframe>. So it refused by Browser with the error:

X-Frame-Options: DENY

Any help?

Answer

m c picture m c · Jan 27, 2015

The value of X-Frame-options can be DENY (default), SAMEORIGIN, and ALLOW-FROM uri. According to Spring Security documentation you can tell Spring to overwrite the default behaviour adding your custom header that way:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))))
    ...
}

and Spring shall append X-Frame-Options: ALLOW-FROM ... or

 .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

for X-Frame-Options: SAMEORIGIN or make it completely disable by

http.headers().frameOptions().disable()

Related questions

How to disable 'X-Frame-Options' response header in Spring Security?

I have CKeditor on my jsp and whenever I upload something, the following error pops out: Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'. …

Read More
how do I set X-Frame-Options response header to allow-from value(s) using spring java config?

How do I set X-Frame-Options response header with a value of allow-from using spring java config? http.headers().disable() .addHeaderWriter(new XFrameOptionsHeaderWriter( new WhiteListedAllowFromStrategy( Arrays.asList("https://example1.com", "https://example2.com")))); In Http Response headers I get: X-Frame-Options:"ALLOW-FROM …

Read More
How to fix Hibernate LazyInitializationException: failed to lazily initialize a collection of roles, could not initialize proxy - no Session

In the custom AuthenticationProvider from my spring project, I am trying read the list of authorities of the logged user, but I am facing the following error: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: com.horariolivre.…

Read More